API Security and Management Best Practices K Scott Morrison CTO & Chief Architect Feb 26, 2012


Researchers have discovered that the national divorce rate has been falling since 2006…

2007: 3.6 divorces per 1000 people

2008: 3.5 divorces per 1000 people

2009: 3.4 divorces per 1000 people

Source: Slate http://slate.me/wGf9et

So, does this mean people are getting better at relationships?

No.

It’s because of the recession.

APIs are like a relationship

They require high (^very high) maintenance.

This talk is about how to have a successful relationship (read: API).

Piece of Advice #1

Best Practice #1

It takes two to tango.

The Web wasn’t a relationship

Successful relationships are built on trust and equality

Equal, but different

BP #2

Understand and respect the cultural differences.

Client / Server

Inside / Outside

Us / Them

Figure: levels of affiliation (Contractor, Regular, Partner, No Affiliation)

The New Identity Management

Figure: API Users and API Developers, External and Internal

APIs change composition of internal teams:

CFO

API Developer

Security Officer

Business Manager

Product Manager

BP #3

Memorize this simple equation.

API Development != Web Development

Beware of habits

BP #4

Take security away from developers.

Figure: API Server, API Proxy, Security Expert, API Expert

Shift security responsibility

Separation of Concerns

BP #5

Trust, but verify.

SQL Injection (courtesy XKCD): Exploits of a Mom

Source: https://xkcd.com/327/
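Added example (not from the slides): the kind of SQL injection the XKCD strip alludes to, shown in Python against a constructed in-memory SQLite table, with the naive query that trusts the client-supplied name beside one that verifies the input and binds it as a parameter. The table contents and the NAME_RE allow-list pattern are assumptions for the demonstration.

```python
import re
import sqlite3

# Allow-list for a name field: a letter followed by letters, spaces,
# hyphens or apostrophes, at most 64 characters (assumed policy).
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '\-]{0,63}")


def make_db():
    """Constructed sample table standing in for the API's backing store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, grade TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?)",
                     [("Robert", "A"), ("Alice", "B"), ("Bobby", "C")])
    return conn


def lookup_trusting(conn, name):
    """Vulnerable: trusts the caller and splices the name into the SQL text."""
    sql = f"SELECT name, grade FROM students WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Parameter binding: the name is data, never parsed as SQL."""
    sql = "SELECT name, grade FROM students WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_verified(conn, name):
    """Trust, but verify: reject input outside the allow-list, then bind it."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("rejected: name fails the allow-list check")
    return lookup_bound(conn, name)


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"          # constructed malicious input
    print(lookup_trusting(db, crafted))   # every row leaks
    print(lookup_bound(db, crafted))      # no row matches that literal name
    try:
        lookup_verified(db, crafted)
    except ValueError as err:
        print(err)                        # rejected before reaching the database
    print(lookup_verified(db, "O'Brien"))  # legitimate apostrophe is still accepted
```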

BP #6

SSL everywhere.

It’s Cheap

BP #7

It’s still all about access control.

But think hard about tokens

BP #8

Don’t roll your own.

Security is hard to get right

BP #9

Manage misconfiguration risk with appliances.

Protect the Servers (figure labels): API Client, Firewall, DMZ, API Proxy, Enterprise Network, Secure Zone, API Server

BP #10

Engage the developers.

The New Governance

                   Old            New
Documentation      WSDL           Wiki/Blog
Discovery          Reg/Rep        Search
Approval           G10 Platform   Email
Enforcement        Gateway        Gateway
User Provisioning  IAM            Portal
Community          What's that?   Forum

The Layer 7 API Developer Portal (figure labels): API Client, iPhone Developer, Firewall, API Portal, API Proxy, Enterprise Network, API Server

To Summarize:

The game has changed: clients need attention.

The security problems are the same, but the names have changed.

Don't just build APIs: build secure and managed APIs.

Don’t Miss @RSA Conference 2012

ASEC-402: Hacking’s Gilded Age: How APIs Will Increase IT Risk

K. Scott Morrison Friday, March 02 10:10 a.m. Room 302

STAR-402: Enterprise Access Control Patterns for REST and Web API

Francois Lascelles Friday, March 02 10:10 a.m. Room 304

Yes, they are at the same time. You must choose…

Picture Credits: Antelope Canyon 4 by klsmith (stock.exchg); Band silhouettes by mr_basmt (stock.exchg)

For further information:

K. Scott Morrison, Chief Technology Officer & Chief Architect
Layer 7 Technologies
1100 Melville St, Suite 405
Vancouver, B.C. V6E 4A6
Canada
(800) 681-9377
[email protected]
http://www.layer7tech.com

February 2012